SystemBC new proxy malware being distributed via Fallout and RIG EK
A new piece of malware known as SystemBC has been discovered by experts at Proofpoint; it is being distributed via exploit kits such as Fallout and RIG. The malware was named “SystemBC” after the URI path visible in the panel screenshots of the underground advertisement for it.
In the most recently tracked example, the Fallout exploit kit is used to download the Danabot banking Trojan together with a SOCKS5 proxy that runs on the victim’s Windows system to hide command and control (C&C) traffic from detection. The pairing of SystemBC as a malicious proxy with mainstream malware creates new challenges for defenders who rely on network edge detection to intercept and mitigate threats such as banking Trojans.
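Whether the SOCKS5 negotiation is seen on the loopback interface by a host sensor or in a network capture, the client's request names the destination the proxy is being asked to reach, which is the detail worth logging. The following is an added example, not code from Proofpoint's analysis or from the malware: a parser for the client side of a SOCKS5 negotiation as defined in RFC 1928, run over a constructed sample stream (the hostname and port are made up).

```python
"""Parse a SOCKS5 client negotiation (RFC 1928) from the client-to-server
byte stream so a sensor can record where a host-side proxy is told to connect."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SOCKS5 = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class Socks5Request:
    auth_methods: Tuple[int, ...]   # methods offered in the greeting (0x00 = no auth)
    command: str
    dst_host: str
    dst_port: int


def parse_greeting(data: bytes) -> Optional[Tuple[Tuple[int, ...], int]]:
    """Client greeting: VER NMETHODS METHODS...  Returns (methods, bytes consumed)."""
    if len(data) < 2 or data[0] != SOCKS5 or data[1] == 0 or len(data) < 2 + data[1]:
        return None
    n = data[1]
    return tuple(data[2:2 + n]), 2 + n


def parse_request(data: bytes) -> Optional[Tuple[str, str, int]]:
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT.  Returns (cmd, host, port)."""
    if len(data) < 4 or data[0] != SOCKS5 or data[2] != 0x00 or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == 0x01 and len(data) >= 10:                                  # IPv4
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03 and len(data) >= 5 and 0 < data[4] and len(data) >= 7 + data[4]:
        host, off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]  # domain
    elif atyp == 0x04 and len(data) >= 22:                                # IPv6
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None                                                       # unknown or truncated
    port = struct.unpack("!H", data[off:off + 2])[0]
    return CMD_NAMES[data[1]], host, port


def detect_socks5(client_stream: bytes) -> Optional[Socks5Request]:
    """Greeting immediately followed by the request, as seen in the client direction."""
    greeting = parse_greeting(client_stream)
    if greeting is None:
        return None
    methods, used = greeting
    req = parse_request(client_stream[used:])
    return None if req is None else Socks5Request(methods, *req)


# Constructed sample: no-auth greeting, then CONNECT to example.test:443.
SAMPLE = b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([12]) + b"example.test" + b"\x01\xbb"
```

In practice the greeting and request arrive in separate segments; feed the reassembled client-direction stream, and alert on CONNECT requests from workstations that should have no reason to speak SOCKS5 at all.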

2019-05-01: [New] #Malware #Loader/Installer "start2" Arg 🤔 | #Signed [BEAT GOES ON LIMITED] 🙃
Emsisoft Anti-Malware\a2guard.exe Checker | "start2" Thread Argument <-> task scheduler
h/t @malwrhunterteam
MD5: 452f68dd3aaf36c37ecb1c49e86814f4
— Vitali Kremez (@VK_Intel) May 2, 2019
Further details can be found here
Indicators of Compromise (IOCs)